4 Answers

Classes, components, and nodes introduce a new scope. Puppet is currently dynamically scoped, which means that scope hierarchies are created based on where the code is evaluated instead of where the code is defined.

So $myfwrules is scoped into the class it's defined in. In your case you're scoping it into class webappfoo, where it has no knowledge of any previously defined $myfwrules. You can bodge around this but a better approach might be to use definitions. Something like this (untested, YMMV, etc):

This way you have a reusable way to add rules into your classes without needing to define variables and worry about scope. You'll end up with a bunch of Exec resources (Exec["rule-webappfoo"], Exec["rule-postfix"]) representing node foo's ruleset.

Edit: this is just an example to demonstrate how definitions might be used. It's not meant to be a problem-free solution. For a start, there are issues around the order in which rules might be applied (could use before/after, perhaps), and the efficiency of calling /sbin/iptables every time.

Yeah but ... iptables was an example. There are other cases I'm interested in. And anyway, I don't want Puppet to run /sbin/iptables -- it's not idempotent first of all --, I want it to generate /etc/sysconfig/iptables, so that I may choose to start it, or not.
– niXar, Aug 21 '09 at 22:48

My answer was an example too :~) You can create files by having the define generate fragments which are assembled by another exec process. This is a bit ugly but about the only way at the moment; your array-appending dream just can't be done because of the way scoping works.
– markdrayton, Aug 22 '09 at 5:23

Is it still the case in Puppet 2.6.x? Does anybody have some notices about a road-map for a better alternative to the client-side file concatenation?
– AlberT, Mar 24 '11 at 16:00

This iptables module seems to be the only way to do what I want; it's basically a script which takes files in an iptables.d/ directory and builds /etc/sysconfig/iptables from it. This is probably what I'm going to use; but I feel that this kind of pattern should be possible in Puppet itself.
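
The fragment-assembly pattern this answer and markdrayton's comment describe, as an added example that is not the iptables module's own script or code from any poster: each class drops a file into iptables.d/ and one script builds the ruleset file from them. The function name `assemble_rules`, the `.rules` suffix, the numeric filename prefixes and the return codes are assumptions made for the example.

```shell
#!/bin/sh
# assemble_rules FRAGMENT_DIR OUTPUT_FILE   (hypothetical helper, added example)
# Returns 0 if OUTPUT_FILE was written, 1 if it was already up to date, 2 on error.
assemble_rules() {
    frag_dir=$1
    out=$2
    [ -d "$frag_dir" ] || return 2

    # Temp file next to the target, so the final mv is an atomic rename and
    # a half-written ruleset is never visible under the real name.
    tmp=$(mktemp "${out}.XXXXXX") || return 2
    chmod 600 "$tmp"

    # Glob expansion is sorted, so numeric prefixes (10-, 20-, ...) decide
    # the order in which the firewall will evaluate the rules.
    for f in "$frag_dir"/*.rules; do
        [ -f "$f" ] || continue
        printf '# from %s\n' "${f##*/}" >> "$tmp"
        cat "$f" >> "$tmp" || { rm -f "$tmp"; return 2; }
    done

    # Idempotence: leave the existing file untouched when nothing changed,
    # so a configuration run only reports a change when there is one.
    if [ -f "$out" ] && cmp -s "$tmp" "$out"; then
        rm -f "$tmp"
        return 1
    fi
    mv -f "$tmp" "$out"
}

# Constructed demo: fragments as two classes might drop them, in a temp dir.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/iptables.d"
printf '%s\n' '*filter' > "$demo_dir/iptables.d/00-header.rules"
printf '%s\n' '-A INPUT -p tcp --dport 80 -j ACCEPT' > "$demo_dir/iptables.d/10-webappfoo.rules"
printf '%s\n' '-A INPUT -p tcp --dport 25 -j ACCEPT' > "$demo_dir/iptables.d/20-postfix.rules"
printf '%s\n' 'COMMIT' > "$demo_dir/iptables.d/99-footer.rules"
assemble_rules "$demo_dir/iptables.d" "$demo_dir/iptables" && cat "$demo_dir/iptables"
rm -rf "$demo_dir"
```

The assembled file can be checked with `iptables-restore --test < file` before it is put in place, so a broken fragment from one class does not take down the whole ruleset.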